Security Basics mailing list archives
RE: A question about modem security
From: Steven Trewick <STrewick () joplings co uk>
Date: Tue, 27 Apr 2004 09:54:30 +0100
I have read somewhere that dial-up questions using modems are inherently insecure. Can somebody please explain to me why it is so? Thanks,
It isn't so. What was your source? A dial up modem connection is no more 'inherently' insecure than any other kind of connection.
Due to the lack of encryption on the connection. Which is caused by the limited amount of packets that can be sent over dial up speeds.
This is simply not true, you can send as many packets as you like, (although obviously you will incur a time penalty), but aside from that, not having encryption enabled makes dial up lines no more 'inherently' insecure than any other unencrypted connection (EG nearly all of them). Encryption is most certainly not the issue.
The insecurity comes from the fact that anyone is capable of connecting to the modem simply by dialling it and then can brute force their way onto a system. Also most modems are left on systems by non-administrators (ie some guy in the off) who do not make any attempt to secure them.
By and large, that isn't true either.

Firstly, let's look at typical deployment roles for a modem.

1) Client dial out

In this scenario, a user has a modem attached to her machine which she uses to dial out to connect to remote machines (eg her ISP).

Firstly, by far the majority of modems will not pick up incoming calls out of the box. This has been the default on every modem I have seen since the 80s, from my first 1200 baud to my last 56kbps.

Secondly, even assuming the modem *was* configured to autoanswer, either by default or because the user changed the setting, it makes no difference if there is no terminal software on the machine capable of accepting an incoming connection.

Thirdly, again, even if the modem is configured to answer inbound calls, an 'attacker' would have to find it. This involves a social engineering attack or a wardial. In the first case, the 'attacker' must be aware of the existence of the modem and have some motivation to dial into it. It's feasible that a modem would be found by a random wardial*[1], but if it was, the above two issues will prevent anything other than the inference that there is a modem connected system, even in the worst case scenario.

All of this assumes that the line the modem is on is directly available to outside callers. While this is (probably) true of a domestic line, not all organisations offer all their staff a DDI*[2] number.

2) Server dial in

In this scenario, the modem will pick up inbound calls by default, and will route them to some form of accepting software on the remote host (EG a terminal program or a PPP login, etc).

In this scenario, the first two mitigations from above will not protect us, as we are allowing dial ins to connect to our back end systems. However, the likelihood of someone being able to 'simply dial in and brute force' *should* most certainly be mitigated by the fact that our mission critical host is logging such things, and will alert our eagle eyed sysadmins to the problem, should such a thing occur.

There are certainly other things to consider, such as ease of physical access to telecomms infrastructure (cables, junction boxes, etc) on the path between nodes, but these factors exist for any method of communications.

In a worst case scenario, dangerously configured, open modem connections most certainly are a security nightmare. However, there is no particular 'inherent' reason that this should be so.

HTH

*[1] This is less true outside the US, since many countries have no free local calls, thus presenting a significant barrier to entry for would be wardiallers.

*[2] Direct Dial Inward, the ability of the PBX in your org to forward outside calls direct to your desk phone as though it was really an external facing line with its own telephone number.